73 matches found
CVE-2026-41491
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...
EUVD-2026-28553
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...
CVE-2026-41491 Dapr: Service Invocation path traversal ACL bypass
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...
CVE-2026-41491
CVE-2026‑41491 affects Dapr. An ACL bypass vulnerability in service invocation lets an attacker exploit reserved URL characters and path traversal sequences in method paths, causing the access control policy to be evaluated against a different path than what the target application receives. The m...
Dapr 路径遍历漏洞
Dapr is a portable, serverless, event-driven runtime developed by Dapr Open Source. Versions of Dapr from 1.3.0 to 1.15.14, as well as versions from 1.16.0-rc.1 to 1.16.14 and from 1.17.0-rc.1 to 1.17.5, have a path traversal vulnerability. This vulnerability stems from the use of reserved URL...
CVE-2026-41491 vulnerabilities
Vulnerabilities for packages: dapr...
CVE-2026-41889 vulnerabilities
Vulnerabilities for packages: src, dapr, temporal-fips, seaweedfs, juicefs, step-ca-fips, cloudprober-fips, keda, openfga-fips, sftpgo-plugin-eventsearch, spicedb-fips, sqlexporter-fips, bento-fips, keda-fips, pgtimetable, vault, opentelemetry-collector-contrib-fips, vault-fips, envoy-gateway-fip...
CVE-2026-41491 vulnerabilities
Vulnerabilities for packages: dapr...
GHSA-J88V-2CHJ-QFWX vulnerabilities
Vulnerabilities for packages: openbao, kube-bench, keda, juicefs, src, spicedb, telegraf, temporal, rke2-cloud-provider, pgtimetable, flyte, temporal-server, dapr, certificate-transparency, timescaledb-parallel-copy, amass, grafana, steampipe, step-ca, kine, falcosidekick,...
GHSA-85GX-3QV6-4463 vulnerabilities
Vulnerabilities for packages: dapr...
GHSA-85GX-3QV6-4463 vulnerabilities
Vulnerabilities for packages: dapr...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...
Dapr: Service Invocation path traversal ACL bypass
Summary A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...
PT-2026-37119
Name of the Vulnerable Software and Affected Versions Dapr versions 1.3.0 through 1.15.13 Dapr versions 1.16.0-rc.1 through 1.16.13 Dapr versions 1.17.0-rc.1 through 1.17.4 Description An issue exists in the way access control policies for service invocation are handled. The Access Control List A...
CVE-2026-34986 vulnerabilities
Vulnerabilities for packages: agentbeat, zot, tw, skaffold, podman, skopeo-fips, skopeo, neuvector-scanner-fips, kyverno-fips, spicedb-fips, sqlexporter-fips, cloudflared, bento-fips, keda-fips, dex, harbor-fips, dex-fips, opencost-fips, kubescape-server-fips, syft, tekton-chains-fips, fulcio-fip...